Security News > 2020 > June > GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin
GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years that made resumed TLS 1.3 sessions vulnerable to attack.
The flaw allowed GnuTLS servers to use session tickets issued during a previous secure TLS 1.3 session without accessing the function that generates secret keys, gnutls session ticket key generate().
The bug, introduced in GnuTLS 3.6.4, was fixed in GnuTLS 3.6.14.
Ayer has been critical of GnuTLS in the past, referring to it as a "Clownish" TLS implementation in a blog post about the expiration of Sectigo's AddTrust legacy root certificate, which affected GnuTLS. Others echoed his disdain for GnuTLS, with some arguing for its removal as a dependency.
"Never use GnuTLS," quipped Thomas H. Ptacek, a security researcher and founder of Matasano Security.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/10/gnutls_patches_security_hole/
Related news
- Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104 (source)
- Google patches odd Android kernel security bug amid signs of targeted exploitation (source)
- Google Chrome's AI-powered security feature rolls out to everyone (source)
- Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities (source)
- Why The Modern Google Workspace Needs Unified Security (source)
- Google paid $12 million in bug bounties last year to security researchers (source)
- Google Acquires Wiz for $32 Billion in Its Biggest Deal Ever to Boost Cloud Security (source)
- Google to purchase Wiz for $32 billion in cloud security play (source)